Blog

Migrating Google G Suite data with a service account

In addition to Gmail source support and Google Docs in-migration conversion, we have added the ability to configure and use a delegated service account to handle authentication for all of your G Suite users, be they Google Drive or Gmail.

This article sets out the once-off configuration steps required to create and use a delegated service account.

Configuration Overview

In order to create an authorized service account to use with Simply Migrate to access user’s data, your G Suite admin will need to perform some steps to create the service account and grant it the appropriate access. Once done that account can then be used to migrate all users with no further authentication requirements.

Note: This wizard will create a project and enable the Gmail, Drive, Calendar and Contacts APIs in one simple step, if you are familiar with the G Suite admin console you can do this manually from APIs & Services menu.

Once the project is created click Go to credentials:

The Setup Wizard will continue and try to suggest the appropriate credentials, however, we know what we need so from step 1 click the text link service account(highlighted in yellow):

Once the API client is authorized you are ready to start migrating data.

For more details on the above configured Scopes, they provide access to the following resources that are required depending on the Source / Target you are migrating. If you only require for example Google Drive data access, then the Gmail related scopes can be omitted and vice versa.

Scopes required for Gmail (including Google Calendar) support

https://www.googleapis.com/auth/gmail.labels

https://www.googleapis.com/auth/gmail.modify

https://www.googleapis.com/auth/calendar

https://www.googleapis.com/auth/contacts

https://www.googleapis.com/auth/drive (NOTE: this is required for Calendar support as attachments are stored in drive)

Scopes required for Google Drive support

https://www.googleapis.com/auth/drive

https://www.googleapis.com/auth/drive.metadata

Step 3: Configuring Simply Migrate to use the service account

In the final step of this process, we need to configure the above settings for use in Simply Migrate, this is done as follows:

On each migration machine, the OAuthApplication for Google must be created using the Scopes configured above.

New jobs are then created using the .json file stored locally on the migration machine for authentication.

Configure the SimplyMigrate Google OAuth Application settings

Open the Simply Migrate Management Shell and enter the following command, including all of the scopes configured above.

The Client ID and Secrets are not provided in the command line, they will be contained in the JSON file allowing multiple service accounts to be used (e.g. you’ll need a different one for the source and target if migrating between G Suite domains).

Create a job using the service account JSON

Finally, you can now create your jobs using the JSON credential file created previously. In the following example, I’ll create a simple report target Gmail job to illustrate how to input the JSON file using the SourceAuthCode (or TargetAuthCode) job option in the place of any credentials.